SSL - Forward Secrecy (or Perfect Forward Secrecy)

[Chris.M]

I was discussing this with a KH support crew member last week, actually. I recently decided to implement an SSL certificate on my personal website, and will be doing the same for another project at some point this week. Just for the hell of it, I ran the domain through the Qualys SSL Labs scan. The results were pleasing, with the exception of one little tidbit: the lack of Forward Secrecy support.

Did a bit of research on how one would go about implementing Forward Secrecy, and it was something that I wasn't comfortable with doing. To make a long story short, the configuration that I want to use is apparently not compatible with cPanel servers. (For reference, this is the configuration I'm referring to.) Software compatibility-wise, everything seems to check out... but cPanel blocks the configuration itself. Didn't want to pursue this further at the time as it was really a low-priority matter, but it does intrigue me. Is this something that the folks over at cPanel are actively pursuing? Perhaps there's another way to go about enabling support for Forward Secrecy successfully?

Curious to see if anyone else has stumbled into this. It doesn't seem to be necessary, but more of an added layer of security on top of everything else. And honestly, that's what I'm aiming for.

Chris

 

[Dan]

Morning Chris,

I ran a quick search at the cPanel forums and came up with a few posts. This was the most recent one and cPanelMichael in post #4 talks about a feature request and a work around. I suggest going to the feature request and hitting the like button and maybe even taking a look at the work around.

 

[Chris.M]

Hey there Dan,

Appreciate the provided link, and am glad to see that this is something that is being requested by fellow cPanel users. I'll look into that workaround and perhaps attempt to get it running. I'm still surprised this hasn't already been implemented as default functionality.

Thanks again!

 

[Mark NYC]

I ran into the same problem some time ago.

If you use the right cipher suite, PFS should not be a problem - I use (found here):

[PRE]ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384HE-RSA-AES128-GCM-SHA256HE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHAHE-RSA-AES128-SHA256HE-RSA-AES128-SHAHE-DSS-AES128-SHA256HE-RSA-AES256-SHA256HE-DSS-AES256-SHAHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AESES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK[/PRE]

SSL Labs shows PFS working for most browsers...

 

[Mark NYC]

Hmmm, problem with formatting - cipher suite attached...

 

[Chris.M]

Mark, this is fantastic. I'm going to give this a try within the next day or so. Thank you, sir!

 

[Mark NYC]

You are welcome !

I have received this from the guys of SSLPOINT (my ssl provider for some time now) - so credits go to them

The above cipher suite is backward compatible up to XP / IE 6 (I use it because nearly 25% of internet users still use Windows XP and a tighter cipher suite would not work when they visit the sites of my clients).

However, I received a second cipher suite from sslpoint - it provides a higher level of security, but does not work with XP - see attached. You may give it a try if you need a more hardened ssl setup...

 

[franky303]

There is an updated list as of mid-2019, got it from interssl and it gives me highest scores on all well-known SSL tests:

# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
SSLHonorCipherOrder On
SSLCipherSuite "EECDH+AESGCM EDH+AESGCM EECDH -RC4 EDH -CAMELLIA -SEED -DES-CBC3-SHA -DES-CBC-SHA RSA !aNULL !eNULL !LOW -3DES !MD5 !EXP !PSK !SRP DSS !RC4 -EDH-RSA-DES-CBC-SHA -EDH-RSA-DES-CBC3-SHA -ADH-DES-CBC-SHA -ADH-DES-CBC3-SHA -DES-CBC-SHA AES128-SHA kRSA -DES-CBC3-SHA"

The above format is ready-to use for apache /etc/apache2/mods-enabled/ssl.conf ...